
Bump urllib3 from 2.6.3 to 2.7.0 in /python#13978

Merged
eavanvalkenburg merged 3 commits into main from dependabot/uv/python/urllib3-2.7.0 on Jun 17, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github May 11, 2026


Motivation and Context

Bumps urllib3 from 2.6.3 to 2.7.0 across the Python project, including the mcp_with_oauth demo, to pick up the latest security and bug fixes.

Description

  • Bumps urllib3 from 2.6.3 to 2.7.0 in python/uv.lock
  • Bumps urllib3 from 2.5.0 to 2.7.0 in python/samples/demos/mcp_with_oauth/uv.lock so the demo no longer resolves an older urllib3 version

Contribution Checklist

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file. Used by Dependabot. python:uv Pull requests that update python:uv code labels May 11, 2026
Copilot AI review requested due to automatic review settings May 11, 2026 17:07
@dependabot dependabot Bot requested a review from a team as a code owner May 11, 2026 17:07
@dependabot dependabot Bot removed the request for review from Copilot May 11, 2026 17:07
@moonbox3 moonbox3 added the python Pull requests for the Python Semantic Kernel label May 11, 2026

@github-actions github-actions Bot left a comment


Automated Code Review

Reviewers: 4 | Confidence: 72%

✓ Correctness

This is a straightforward dependency bump of urllib3 from 2.6.3 to 2.7.0 in the uv.lock file, along with related constraint updates for boto3 (<1.41.0 → <1.43.0), google-genai (~=1.51.0 → >=1.51,<1.75), and pydantic (<2.13 → <2.14). All lock file changes are consistent with the dependency specifiers declared in python/pyproject.toml. The urllib3 2.7.0 release drops Python 3.9 support, but this project requires Python >=3.10, so there is no compatibility concern. CI tests run on Python 3.10, 3.11, and 3.12 only. The urllib3 2.7.0 release includes security fixes for decompression-bomb safeguards and header-stripping on redirects. No correctness issues found.

✓ Security Reliability

This is a lockfile-only dependency bump that updates urllib3 from 2.6.3 to 2.7.0, picking up two high-severity security fixes (decompression-bomb safeguard bypass and sensitive header leak on redirect via ProxyManager). The project already requires Python >=3.10, so urllib3 2.7.0 dropping Python 3.9 is not a concern. The accompanying version-range widenings for boto3, google-genai, and pydantic are routine upper-bound bumps. Package integrity is protected by sha256 hashes in the lockfile. No security or reliability issues found.

✓ Test Coverage

This PR updates the uv.lock file to bump urllib3 from 2.6.3 to 2.7.0 (which includes security fixes for decompression-bomb bypass and header-stripping on redirect), along with widened version ranges for boto3, google-genai, and pydantic. All changes are confined to the lock file with no application or test code modifications. Since no project behavior is changed—only transitive dependency versions are updated—there is no new behavior requiring additional test coverage.

✗ Design Approach

The urllib3 bump is incomplete for the Python tree: it updates the top-level SDK lockfile, but a documented demo project under python/samples/demos/mcp_with_oauth still carries its own uv.lock pinned to an older urllib3, so users following that demo path will continue to resolve the pre-fix version.

Flagged Issues

  • The documented python/samples/demos/mcp_with_oauth demo still carries its own uv.lock pinned to urllib3 2.5.0 (python/samples/demos/mcp_with_oauth/uv.lock:2414-2419), and its README instructs users to run from that directory (README.md:55-58). This PR does not fully remove the older urllib3 pin from the /python subtree.

Automated review by dependabot[bot]'s agents

Comment thread python/uv.lock
@github-actions github-actions Bot changed the title Bump urllib3 from 2.6.3 to 2.7.0 in /python Python: Bump urllib3 from 2.6.3 to 2.7.0 in /python May 11, 2026
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Python: Bump urllib3 from 2.6.3 to 2.7.0 in /python Bump urllib3 from 2.6.3 to 2.7.0 in /python May 11, 2026
Copilot AI review requested due to automatic review settings May 11, 2026 23:12
@dependabot dependabot Bot force-pushed the dependabot/uv/python/urllib3-2.7.0 branch from b590234 to 0b71933 Compare May 11, 2026 23:12

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@moonbox3 moonbox3 left a comment


Approved after current CI/CD checks are green.

@moonbox3


@copilot: address the unresolved review thread by also bumping urllib3 in python/samples/demos/mcp_with_oauth/uv.lock so the documented demo no longer resolves the older urllib3 version, then rerun/fix CI/CD as needed.

Copilot AI commented Jun 17, 2026


Done — updated python/samples/demos/mcp_with_oauth/uv.lock to resolve urllib3 2.7.0 (was 2.5.0) in commit Bump urllib3 from 2.5.0 to 2.7.0 in python/samples/demos/mcp_with_oauth/uv.lock.

Copilot AI requested a review from moonbox3 June 17, 2026 11:00
@moonbox3 moonbox3 requested a review from westey-m June 17, 2026 11:14

@moonbox3 moonbox3 left a comment


Approved after Copilot addressed the nested urllib3 lockfile issue, branch was updated, and CI/CD is green.

@eavanvalkenburg eavanvalkenburg added this pull request to the merge queue Jun 17, 2026
Merged via the queue into main with commit 1608586 Jun 17, 2026
31 checks passed
@eavanvalkenburg eavanvalkenburg deleted the dependabot/uv/python/urllib3-2.7.0 branch June 17, 2026 12:55